Originally published on www.beckershospitalreview.com. Written by Cliff Kittle, Principal, Healthcare Information Security, SecureWorks, and Mary Chaput, CFO, Clearwater Compliance | July 11, 2017
The HIPAA regulation was created to set a baseline standard for the security and privacy of patient data. That baseline was set for the threat environment that existed at the time it was written.
In the succeeding years, the environment has changed dramatically while the regulation (standard for security) has remained stagnant. The result is a governing regulation for privacy and security that does not address the threats confronting the industry today. Health & Human Services (HHS) Deputy Chief Information Security Officer Leo Scanlon, in testimony to the House Energy and Commerce Committee June 8, 2017 said “The regulations in place weren’t designed for current threats. Regulatory mechanisms are fundamentally challenged by threat actors who work at machine speed. But it’s hard to avoid the place where we’re victimizing the victim.”
Additionally, a compliance-first mindset toward information security has bred complacency. It is an attitude spawned by a checklist approach, one that ends with the conclusion that completing the required checklist is "Good Enough" security.
HHS is shifting the focus of its cybersecurity efforts from compliance to risk identification, relative to both data security and patient safety. As a result, multiple critical assets must be considered, and appropriate security measures taken to defend each asset against a growing number of attack vectors that threaten one or more of the Confidentiality, Integrity, and Availability of that asset. WannaCry is an example of a threat to the availability of data that, in turn, threatens the remaining elements of data security as well as patient safety. The rise in DDoS attacks presents a different yet similar outcome, one that must be defended against with tactics and strategy that differ slightly from, but parallel, those needed against ransomware. More recently, the Petya/NotPetya malware showed the threat actor working at machine speed. Following closely on the heels of WannaCry, it resembled a global ransomware attack; analysts soon determined, however, that its objective was to permanently destroy data, not to hold it for ransom. The malware displayed a ransom note, but payment could not recover the encrypted files, so there was never a workable path to ransom. This is an excellent example of the tactic of deception, associated with the Maneuver Warfare principle of "Surprise" discussed in the whitepaper "Applying the Doctrine of Maneuver Warfare to the Execution of a Cybersecurity Action Plan": the adversary used deception to create surprise. Behavior such as that shown in the Petya/NotPetya attack demonstrates the continuously evolving threat environment in today's healthcare industry, and is why "Good Enough" must evolve into an attitude of "Never Enough".
It is "Never Enough" because the threat actors never stop evolving. WannaCry and NotPetya may well have previewed the next technique for gaining access to an organization's critical assets: both campaigns propagated in a worm-like manner with no user intervention, so a single exposed host was enough to compromise a network. Equally concerning is the expectation that the volume of ransomware attacks will continue to increase as other major platforms are targeted; OSX and Android are two that have been mentioned. A recent attack on a South Korean organization resulted in the largest recorded ransom payment, one million dollars, after the files on its Linux servers were encrypted.
The adversary's continuing evolution of tactics for compromising the critical data entrusted to healthcare organizations must be met with a commitment by those organizations to continuously improve and adjust their defensive posture. This necessary behavior of "Continuous Preparation" is not specifically addressed by the current HIPAA regulation. Christos Dimitriadis, ISACA board chair and group head of information security at Intralot, has said: "There is a significant and concerning gap between the threats an organization faces and its readiness to address those threats in a timely or effective manner. Cybersecurity professionals face huge demands to secure organizational infrastructure, and teams need to be properly trained, resourced and prepared."
To achieve the level of "Continuous Preparation" needed to compete with a "threat actor working at machine speed", the security program must be guided by dynamic principles. Those principles support the enterprise strategy for reaching the information security posture set by the organization's Board of Directors and executive team.
The whitepaper "Applying the Doctrine of Maneuver Warfare to the Execution of a Cybersecurity Action Plan" presents seven such dynamic principles for use in executing an enterprise security strategy.